malwarewikiaorg-20200223-history
Shifr
Shifr, also known as Gojdue, ShurL0ckr, or Cypher, is a ransomware that runs on Microsoft Windows. It was discovered by Karsten Hahn. It is part of the Windows_Security family. It is aimed at English-speaking users.

To obtain a copy of this ransomware, the user needs to visit a website on the Dark Web and have their Bitcoin address nearby. A potential customer needs to enter this Bitcoin address and the size of the ransom demand Shifr should ask from victims. After this, all that's left is for the user to solve a mundane CAPTCHA challenge and press a button. While other RaaS portals will ask for an entry fee or verify their clients to ensure only skilled crooks (and not security researchers) get their hands on ransomware samples, this service offers a fully weaponized sample in a few easy steps. Because of this openness and lack of secrecy, VirusTotal was filled with Shifr samples in a matter of days.

In addition to the lack of stealth, this service also differs from other RaaS services in that it asks for a very low cut, attempting to compensate for the ransomware's lack of features. While Cerber asks for a 60% share, the Shifr operator asks for only 10%. Because of this 10% cut, Shifr might be packed with a RAT or infostealer that would infect wannabe and inexperienced ransomware distributors and steal any funds or tools they might have on their computers. Shifr might also be a scam.

Payload Transmission

Shifr is distributed as a RaaS on Darknet forums. After falling into other hands, it can begin to spread by hacking through an insecure RDP configuration, using email spam and malicious attachments, fraudulent downloads, exploits, web injects, fake updates, and repackaged and infected installers.

Infection

Once Shifr enters the victim's computer, it will begin encrypting the victim's files, targeting all files on the local drives, as well as on removable memory devices connected to the infected computer.
Shifr will target numerous file types in its attack, including files with the following extensions: .3gp, .7z, .apk, .avi, .bmp, .cdr, .cer, .chm, .conf, .css, .csv, .dat, .db, .dbf, .djvu, .dbx, .docm, .doc, .epub, .docx, .fb2, .flv, .gif, .gz, .iso, .ibooks, .jpeg, .jpg, .key, .mdb, .md2, .mdf, .mht, .mobi, .mhtm, .mkv, .mov, .mp3, .mp4, .mpg, .mpeg, .pict, .pdf, .pps, .pkg, .png, .ppt, .pptx, .ppsx, .psd, .rar, .rtf, .scr, .swf, .sav, .tiff, .tif, .tbl, .torrent, .txt, .vsd, .wmv, .xls, .xlsx, .xps, .xml, .ckp, .zip, .java, .py, .asm, .c, .cpp, .cs, .js, .php, .dacpac, .rbw, .rb, .mrg, .dcx, .db3, .sql, .sqlite3, .sqlite, .sqlitedb, .psd, .psp, .pdb, .dxf, .dwg, .drw, .casb, .ccp, .cal, .cmx, .cr2.

Shifr marks the files encrypted in the attack with the file extension '.shifr', making it simple to know which files have been affected by the attack. The files encrypted by Shifr will no longer be accessible and show up as blank, unrecognized icons in Windows Explorer. Shifr delivers its HTML ransom note to the victim's desktop, and the file may be opened with the default Web browser on the infected computer. The following is part of the text of Shifr's ransom note:

''Your files have been encrypted! To decrypt your files, send 0.1 Bitcoin to this address: CHARACTERS After your payment is complete. You can decrypt files with decryption program. Download decryption program here. Decryption key. Not paid yet. FAQ: Question: Where can I get Bitcoin wallet? Answer: Simple and easy to use wallet. Question: Where can I buy Bitcoins? Answer: Guide to various methods of buying Bitcoin.''

Categories: Ransomware, Win32 ransomware, Win32, Win32 trojan, Microsoft Windows, Trojan
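The two host-side indicators the Infection section describes, files renamed with a '.shifr' extension and an HTML ransom note beginning "Your files have been encrypted!", are easy to sweep for during triage. The script below is an added example written for this page, not code from the wiki or from any analysis of the sample; it walks a directory tree, recovers the original extension of each '.shifr' file, checks it against a hypothetical subset of the extension list above, and flags HTML files carrying the note text. The sample directory it builds is constructed for the demonstration and is not a real infection.

```python
import tempfile
from pathlib import Path

# A subset of the extensions the article lists as Shifr targets (assumption:
# extend from the full list above when used on a real system).
TARGET_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg", ".png",
                     ".pdf", ".txt", ".zip", ".sql", ".py", ".c", ".js"}
SHIFR_SUFFIX = ".shifr"                          # extension Shifr appends
NOTE_MARKER = "Your files have been encrypted!"  # opening line of the HTML note


def scan_tree(root):
    """Walk a directory tree and collect Shifr indicators.

    Returns a dict with:
      encrypted - list of (path, original_extension) for files ending in .shifr
      notes     - list of HTML files containing the ransom-note text
    """
    encrypted, notes = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        suffix = path.suffix.lower()
        if suffix == SHIFR_SUFFIX:
            # "report.docx.shifr" -> stem "report.docx" -> original suffix ".docx"
            encrypted.append((str(path), Path(path.stem).suffix.lower()))
        elif suffix in (".html", ".htm"):
            try:
                text = path.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue
            if NOTE_MARKER in text:
                notes.append(str(path))
    return {"encrypted": encrypted, "notes": notes}


def assess(report):
    """Turn a scan report into a verdict plus the original extensions that were hit.

    Returns (verdict, hit_known_targets, hit_unlisted_extensions); the last set
    is worth a look because it means files outside the article's list were renamed.
    """
    hit_exts = {ext for _, ext in report["encrypted"]}
    verdict = "shifr-indicators-present" if (report["notes"] or report["encrypted"]) else "clean"
    return verdict, hit_exts & TARGET_EXTENSIONS, hit_exts - TARGET_EXTENSIONS


def build_sample_tree():
    """Create a constructed directory layout (not a real infection) for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="shifr_demo_"))
    (root / "Documents").mkdir()
    (root / "Desktop").mkdir()
    (root / "Documents" / "report.docx.shifr").write_bytes(b"\x00" * 64)  # constructed
    (root / "Documents" / "photo.jpg.shifr").write_bytes(b"\x00" * 64)    # constructed
    (root / "Documents" / "untouched.txt").write_text("still readable")
    (root / "Desktop" / "DECRYPT.html").write_text(
        "<html><body>" + NOTE_MARKER + " ...</body></html>")       # constructed note
    (root / "Desktop" / "bookmark.html").write_text("<html>nothing here</html>")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    rep = scan_tree(sample)
    print(assess(rep))
    for p, ext in rep["encrypted"]:
        print("encrypted:", p, "(originally", ext + ")")
```

Run against a user profile or a mounted image rather than the sample tree to get a per-extension picture of what was touched; the `hit_unlisted_extensions` set in the verdict is the part to watch, since a build of the malware that renames types outside the published list would show up there.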